Dear @KobeArthurScofield,
There is a long-standing problem with any Go app that uses TLS (e.g. doggo, dnslookup, dnscrypt, etc.) on Windows 7. A user cannot connect to a DoH/DoT server by IP address alone; they must specify a domain. Otherwise, they see a certificate check error.
Let me illustrate it with Cloudflare DoH server: 1.1.1.1 vs one.one.one.one.
```
$ ver & go version
Microsoft Windows [Version 6.1.7601]
go version go1.24.4 windows/amd64
$ git clone ... && cd ... && go build ...
$ doggo ntp.ix.ru --short @https://1.1.1.1/dns-query
level=ERROR msg="error in lookup" error="Post \"https://1.1.1.1/dns-query\":
tls: failed to verify certificate: x509: certificate is valid for
1.0.0.1, 1.1.1.1, 162.159.36.1, 162.159.46.1, 2606:4700:4700::1001, 2606:4700:4700::1111, 2606:4700:4700::64, 2606:4700:4700::6400,
not 1.1.1.1"
$ doggo ntp.ix.ru --short @https://one.one.one.one/dns-query
194.190.168.1
```

In comparison, C++ apps (popular browsers, dig…) connect to DoH by IP without issues.

```
$ dig -v
DiG 9.17.15
$ dig ntp.ix.ru +short +https @1.1.1.1
194.190.168.1
```

Could you be so kind and help me find out if this is a problem with the patched Go SDK or a problem with the upstream Go network library (TLS component) itself?
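One way to narrow the question above, added here as an example and not taken from the issue or from the Go project: this program verifies a constructed leaf certificate with IP-only SANs against an explicit root pool, so the check runs in `crypto/x509`'s own verifier (its documentation notes that the platform verifier might be used only when `Roots` is nil). The CA, the leaf and the helper names `must`, `issue` and `verifyHost` are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a constructed CA and a leaf whose SAN lists only the given IPs (test data, not real certificates).
func issue(ips ...string) (*x509.Certificate, *x509.CertPool) {
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed leaf"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotBefore: caTmpl.NotBefore, NotAfter: caTmpl.NotAfter}
	for _, s := range ips {
		leafTmpl.IPAddresses = append(leafTmpl.IPAddresses, net.ParseIP(s))
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots
}

// verifyHost checks the chain and the host name; an IP literal in DNSName is matched against the IP SANs.
func verifyHost(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	leaf, roots := issue("1.1.1.1", "2606:4700:4700::1111")
	for _, h := range []string{"1.1.1.1", "2606:4700:4700::1111", "1.0.0.1", "one.one.one.one"} {
		fmt.Printf("%-22s %v\n", h, verifyHost(leaf, roots, h))
	}
}
```

If the two listed addresses verify on the affected machine, IP SAN matching in Go's own verifier works there, and what remains to compare is verification with `Roots` left nil.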